I have a group of users that use an archaic web program to input data. A few times a day they need to have an IISReset done because the program locks up IIS. They put in their Spiceworks ticket and someone in the IT Department will then do the reset for them.

The problem with this arrangement is that sometimes there is no one available to do the IISReset so this group of people are "stuck" for however long it takes for one of us to do the reset for them.

My director's answer to this is, let's give their team lead the ability to do the IISReset himself without our involvement. As a department we are OK with this as long as we can do this without allowing this user administrative privileges on the server in question (this group is probably the least technical out of the entire company).

My current line of thinking was to create a scheduled task with our service account as the running user and giving the user in question NTFS permissions to the task and then running "schtasks /run /s <server> /tn <task name>" from the user's local machine. The problem with this is that we get an access denied unless the user is in the administrators group of the server in question.

Does anyone know if there is a way around this or another way of accomplishing what we are trying to do?

Access denied, you must be an administrator of the remote computer to use this
command. Either have your account added to the administrator local group of
the remote computer or to the domain administrator global group.

I know this might be kind of obvious, but it certainly seems your archaic software needs to be updated to something that doesn't require 2-3 man hours a day to reset. Do your higher ups not realize how much money they are losing?

OK so you might want to try your original thought with the scheduled task. On an old web server we have (also 2003) I have it set to run C:\WINDOWS\system32\iisreset.exe /restart and this runs as a domain admin. I would assume if you gave the user access via RDC they could do this without local admin rights, since it will be running as another account.

Sean, I had the same thought, but due to the limited technical skills of the individual, we would prefer to do a shortcut on his local PC for him to double click versus him having to RDP into the server.

We are thinking that with the path of least resistance we will be able to dump this menial task back on the group that uses the program and free up our resources, but for this to happen it needs to be the least complicated way imaginable.

Think of it this way, would you want your grandpa RDPing on to your web server?

After further digging, it became apparent that a full-blown IISReset (which requires Admin rights, as we all know) wasn't exactly needed. Stopping and starting the W3SVC was enough to do the trick in this instance. So I created a batch file that uses the SC command to stop and start the service and the only permissions needed were "power user" rights on the remote server.
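
A batch file along the lines described in the post above, as an added example that is not the poster's own script. It waits for W3SVC to actually stop before starting it, since `sc stop` returns before the service has stopped; the server name WEBSRV01 and the retry limits are assumptions.

```bat
@echo off
rem Added example, not the poster's batch file.
rem WEBSRV01 is a placeholder server name (assumption).
setlocal
set "SERVER=WEBSRV01"
set "SVC=W3SVC"

echo Stopping %SVC% on %SERVER% ...
sc \\%SERVER% stop %SVC% >nul 2>&1

rem "sc stop" returns before the service has stopped, so poll the state.
set /a TRIES=0
:waitstop
sc \\%SERVER% query %SVC% | find "STOPPED" >nul
if not errorlevel 1 goto startsvc
set /a TRIES+=1
if %TRIES% geq 30 goto failed
rem Pause about 2 seconds; ping is used because timeout.exe
rem is not present on every Windows version.
ping -n 3 127.0.0.1 >nul
goto waitstop

:startsvc
echo Starting %SVC% ...
sc \\%SERVER% start %SVC% >nul 2>&1
set /a TRIES=0
:waitstart
sc \\%SERVER% query %SVC% | find "RUNNING" >nul
if not errorlevel 1 goto done
set /a TRIES+=1
if %TRIES% geq 30 goto failed
ping -n 3 127.0.0.1 >nul
goto waitstart

:done
echo %SVC% on %SERVER% is running again.
endlocal
exit /b 0

:failed
rem Also reached when the caller lacks rights and the state never changes.
echo %SVC% on %SERVER% did not reach the expected state. Please open a ticket with IT.
pause
endlocal
exit /b 1
```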
